Case Study — Regulatory Compliance

Critical Infrastructure Operator — NIS2 Compliance

End-to-end NIS2 Directive compliance implementation for a European critical infrastructure operator managing energy distribution assets across multiple EU member states. Classified as an essential entity under Directive 2022/2555.

10 weeks to compliance
40+ supply chain vendors
24-hour incident reporting
Quarterly board reporting

Context

A European critical infrastructure operator engaged Intarmour to design and implement a comprehensive NIS2 Directive compliance programme. The organisation managed energy distribution assets spanning multiple EU member states, classified as an essential entity within the energy sector under Directive 2022/2555, subjecting it to the most stringent requirements for risk management, governance, incident reporting, and supply chain security.

Growth through a decade of acquisitions had created a fragmented technology landscape with inconsistent security practices, disparate monitoring, and no unified cybersecurity governance framework. Approaching national transposition deadlines created urgent remediation requirements.

Challenge

The NIS2 transposition deadline was approaching and the organisation had not commenced structured compliance activities. Internal assessment had identified the Directive’s broad scope, but translating requirements into implementable controls across a multi-jurisdictional IT/OT environment exceeded internal capabilities. The gap was substantial across every requirement domain.

Legacy OT presented the most significant technical challenge. SCADA systems, remote terminal units, and HMIs had been deployed with availability as the primary criterion; security, where addressed at all, stopped at the network perimeter. Many systems could not support modern security agents without risking operational disruption, and IT/OT convergence had created lateral movement pathways from corporate environments to the systems controlling physical infrastructure.

The board had no formal cybersecurity governance responsibilities, no cyber risk reporting, and no process for security investment oversight. Under NIS2, management bodies bear direct responsibility and must undergo appropriate training. No framework existed for translating technical risk into board-consumable formats.

Incident reporting procedures were wholly inadequate. For significant incidents the Directive mandates an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month of that notification. The organisation had no incident classification methodology for deciding what counts as significant, no CSIRT communication channels, and no cross-border notification procedures. The supply chain, over forty vendors spanning equipment manufacturers, contractors, and managed service operators, had never been assessed for cybersecurity risk, and contractual provisions did not address NIS2 requirements.

Implementation

Intarmour designed a phased programme across five workstreams aligned to NIS2 requirement domains (board training, listed separately in the workstream summary below, was delivered within the governance workstream), sequenced to address the highest-risk gaps before the transposition deadline while building foundations for sustained compliance.

The first workstream conducted definitive entity classification across each operating jurisdiction, accounting for national transposition variations. A detailed gap analysis benchmarked current practices against requirements, producing a quantified compliance deficit informing prioritisation and resource allocation.

The governance workstream established board-level cybersecurity oversight, integrating into existing corporate governance rather than creating parallel structures. This included a quarterly reporting format presenting risk in operational and financial terms, and a board training programme covering NIS2 obligations, personal liability, the organisation’s risk landscape, and governance mechanics.

Risk management implementation established a structured methodology for both IT and OT environments, accommodating OT’s distinct priorities where availability and safety take precedence. The IT/OT boundary was redesigned to eliminate lateral movement pathways. Incident reporting was built from the ground up: classification criteria aligned with NIS2 severity thresholds, notification templates, designated authority contacts, and rehearsed cross-border procedures.
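The reporting chain described under Challenge has one detail that procedures often get wrong: the one-month final-report clock runs from the submission of the 72-hour notification, not from the moment of awareness (Article 23(4) of Directive (EU) 2022/2555), so an early notification pulls the final deadline forward. The deadline tracker below is an added example written for this page, not a tool the operator or Intarmour deployed; the function and class names are this example's own, and the timestamps in the usage block are constructed.

```python
"""Deadline tracker for the NIS2 significant-incident reporting chain
(Art. 23(4), Directive (EU) 2022/2555): early warning within 24 hours of
becoming aware, incident notification within 72 hours, final report within
one month of submitting the notification.

Example code for illustration only; names are this example's own assumptions."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (keeps the example free of naive datetimes)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime   # 24 h after awareness
    notification: datetime    # 72 h after awareness
    final_report: datetime    # one month after the notification is actually submitted
    notification_late: bool   # True if a submitted notification missed its 72 h window


def add_one_month(when: datetime) -> datetime:
    """Advance by one calendar month, clamping to the last day of a shorter
    month (31 Jan -> 28/29 Feb) so the deadline never silently rolls into
    the following month."""
    year = when.year + when.month // 12
    month = when.month % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def nis2_deadlines(aware_at: datetime, notified_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Compute the three deadlines from the moment the entity became aware.

    If the 72 h notification has already been submitted, the one-month
    final-report clock runs from that submission. Until it is submitted, the
    latest permissible final-report date is one month after the 72 h deadline."""
    for ts in (aware_at, notified_at):
        if ts is not None and ts.tzinfo is None:
            raise ValueError("use timezone-aware timestamps; cross-border teams otherwise disagree on the deadline")
    if notified_at is not None and notified_at < aware_at:
        raise ValueError("notification cannot precede awareness")
    early_warning = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    late = notified_at is not None and notified_at > notification
    anchor = notified_at if notified_at is not None else notification
    return ReportingDeadlines(early_warning, notification, add_one_month(anchor), late)


def overdue_stages(deadlines: ReportingDeadlines, now: datetime, submitted: Dict[str, datetime]) -> List[str]:
    """Names of stages whose deadline has passed with no submission recorded.
    `submitted` maps a stage name to the time the report was sent to the CSIRT."""
    stages = {
        "early_warning": deadlines.early_warning,
        "notification": deadlines.notification,
        "final_report": deadlines.final_report,
    }
    return [name for name, due in stages.items() if now > due and name not in submitted]


if __name__ == "__main__":
    # Constructed scenario: awareness late on 31 January, notification sent the same evening.
    aware = utc(2025, 1, 31, 10, 0)
    plan = nis2_deadlines(aware)
    print("latest early warning:", plan.early_warning.isoformat())
    print("latest notification :", plan.notification.isoformat())
    print("latest final report :", plan.final_report.isoformat())
    actual = nis2_deadlines(aware, notified_at=utc(2025, 1, 31, 22, 0))
    print("final report after early notification:", actual.final_report.isoformat())
    print("overdue on 2 Feb with nothing sent:", overdue_stages(plan, utc(2025, 2, 2), {}))
```

The month arithmetic is the part worth keeping in a real tracker: a notification submitted on 31 January must produce a 28 or 29 February final-report date, and naive day-count shortcuts (30 days, 4 weeks) produce a date the supervisory authority will not recognise.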

The supply chain security programme implemented a tiered vendor assessment framework. The top twenty vendors received comprehensive security assessments covering practices, incident response capabilities, and contractual obligations. Revised contractual provisions incorporated NIS2-aligned requirements, notification obligations, and audit rights. Remaining vendors were addressed through standardised questionnaires with automated risk scoring.

Programme Workstreams

Entity Classification & Gap Analysis

NIS2 classification across all jurisdictions. Quantified compliance deficit benchmarking current practices against requirements.

Governance Framework Design

Board-level cybersecurity oversight with quarterly reporting. Board training covering obligations and personal liability.

Risk Management Implementation

Structured methodology for IT and OT environments. IT/OT boundary redesign eliminating lateral movement pathways.

Incident Reporting Procedures

Classification criteria aligned to NIS2 severity thresholds. Templates, authority contacts, and cross-border notification procedures.

Supply Chain Security Programme

Tiered vendor assessment. Comprehensive evaluation of top twenty critical suppliers. Revised contracts with NIS2-aligned requirements.

Board Training & Awareness

Structured training on NIS2 obligations, personal liability, and risk landscape. Designed for ongoing competence, not one-time compliance.

Outcome

NIS2 compliance was achieved within ten weeks, ahead of applicable transposition deadlines. The programme transformed cybersecurity governance from an informal function into a structured programme with board oversight, defined risk management, and established reporting. Quarterly reporting cycles and annual reviews were embedded into corporate governance calendars.

Incident reporting was validated through tabletop exercises across NIS2 severity classifications. The organisation demonstrated 24-hour early warning capability including cross-border scenarios. CSIRT communication channels were established and tested, and the incident response team completed comprehensive notification training.

Supply chain assessment covered the twenty most critical vendors, representing approximately seventy percent of external technology dependency. Findings informed remediation requirements incorporated into revised contracts. Three vendors required significant improvements, with remediation plans and contractual milestones established.

The board governance programme received particularly positive reception. Board members reported materially improved capacity to understand and oversee cybersecurity risk. The governance framework was subsequently cited as a model for broader operational risk oversight across non-cyber domains.

Key Learnings

Board governance is the foundation, not an afterthought. NIS2 places explicit responsibility on management bodies. Organisations treating governance as a checkbox create ongoing exposure. Effective oversight requires board members who understand both obligations and the risk landscape.

OT environments require specialised security approaches. Standard IT frameworks cannot be applied to OT without introducing operational risk. The methodology must accommodate distinct priorities where availability and safety take precedence.

Cross-border compliance requires jurisdiction-specific analysis. NIS2 establishes a harmonised framework, but national transposition introduces variations in classification, notification, and supervisory structures. Multi-state operators must account for these rather than assuming uniform implementation.

Supply chain security is a programme, not a project. Initial vendor assessment provides a point-in-time view. Sustainable compliance requires ongoing assessment, contractual oversight mechanisms, and escalation procedures for vendors failing to maintain standards.

Incident reporting readiness requires rehearsal, not documentation alone. The 24-hour early warning requirement demands practiced capability that functions under stress. Tabletop exercises are essential to validate that procedures translate into operational reality.

Ready for institutional-grade cybersecurity?

Confidential assessments for qualified Private Equity and Family Office entities requiring sovereign defense infrastructure.